When undertaking a forensic examination of a computer system, it is essential that the hard drives installed in the system are copied in a manner that preserves the integrity of their stored data. This copy is referred to as a forensic duplicate or a data clone. A data clone is an exact bit-by-bit copy of the digital recording media and includes areas not allocated for use by the installed user application software and areas of deleted data.
Purpose of Data Cloning.
Undertaking an examination using a forensic clone preserves vital source data evidence. It is therefore imperative that two clones are created. The source drive/s are held in a safe and secure environment as a case master record.
The Data Cloning Process.
Cloning data on a hard drive can be a relatively time-consuming process, and needs to be undertaken in a stable laboratory environment rather than at the scene. The data cloning process is a straightforward operation. The suspect drive is known and labelled as the “source” hard drive and the hard drive to be used as a clone is labelled the “destination” drive. The destination drive must be at least as large as the source drive and must be cleaned of any legacy data. The source drive is removed from the computer and connected using a cable to a cloning device that facilitates write blocking. Once connexions are made, the process of data cloning is started with the press of a couple of buttons. When it is complete, a short report is produced that records a unique hash value for the source and for the clone; these need to be identical.
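An added example, not part of the original article: a Python check of the report step described above, written for image files rather than raw devices. It hashes the source and the same number of bytes on the destination (which may be larger) and confirms that the rest of the destination is zero-filled; the function names, the choice of SHA-256, and zero-fill as the meaning of "cleaned" are assumptions.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so large images never sit in memory


def hash_prefix(path, length):
    """SHA-256 of the first `length` bytes of an image file."""
    h = hashlib.sha256()
    remaining = length
    with open(path, "rb") as f:
        while remaining > 0:
            block = f.read(min(CHUNK, remaining))
            if not block:
                raise ValueError(f"{path} is shorter than {length} bytes")
            h.update(block)
            remaining -= len(block)
    return h.hexdigest()


def tail_is_wiped(path, offset):
    """True if every byte from `offset` to end of file is zero."""
    with open(path, "rb") as f:
        f.seek(offset)
        while block := f.read(CHUNK):
            if block.count(0) != len(block):
                return False
    return True


def verify_clone(source, destination):
    """Compare a source image with its clone and return a short report."""
    src_size = os.path.getsize(source)
    if os.path.getsize(destination) < src_size:
        raise ValueError("destination is smaller than source")
    src_hash = hash_prefix(source, src_size)
    dst_hash = hash_prefix(destination, src_size)  # same byte range as source
    return {"source_sha256": src_hash, "clone_sha256": dst_hash,
            "match": src_hash == dst_hash,
            "tail_wiped": tail_is_wiped(destination, src_size)}


def make_image(data):
    """Write constructed sample bytes to a temporary image file."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path
```

A clone on a larger destination passes only when `match` and `tail_wiped` are both true; hashing the whole destination instead would give a different value from the source even for a correct clone.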
Chain of Custody.
A chain of custody is essential to maintain the integrity of the evidence. The chain of custody accounts for each evidence item from the time it’s collected to the time it’s presented in court (should that become necessary). The chain of custody process involves formal paperwork and labeling of physical items. Each time evidence items change hands, the transfer must be recorded on the paperwork that accompanies them.